Network Working Group B. Korver
Request for Comments: 4945 Network Resonance, Inc.
Category: Standards Track August 2007
The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
The Internet Key Exchange (IKE) and Public Key Infrastructure for
X.509 (PKIX) certificate profile both provide frameworks that must be
profiled for use in a given application. This document provides a
profile of IKE and PKIX that defines the requirements for using PKI
technology in the context of IKE/IPsec. The document complements
protocol specifications such as IKEv1 and IKEv2, which assume the
existence of public key certificates and related keying materials,
but which do not address PKI issues explicitly. This document
addresses those issues. The intended audience is implementers of PKI
for IPsec.
Korver Standards Track [Page 1]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Table of Contents
1. Introduction ....................................................4
2. Terms and Definitions ...........................................4
3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP ................5
3.1. Identification Payload .....................................5
3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR .......................7
3.1.2. ID_FQDN .............................................9
3.1.3. ID_USER_FQDN .......................................10
3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET,
ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE .............11
3.1.5. ID_DER_ASN1_DN .....................................11
3.1.6. ID_DER_ASN1_GN .....................................12
3.1.7. ID_KEY_ID ..........................................12
3.1.8. Selecting an Identity from a Certificate ...........12
3.1.9. Subject for DN Only ................................12
3.1.10. Binding Identity to Policy ........................13
3.2. Certificate Request Payload ...............................13
3.2.1. Certificate Type ...................................14
3.2.2. X.509 Certificate - Signature ......................14
3.2.3. Revocation Lists (CRL and ARL) .....................14
3.2.4. PKCS #7 wrapped X.509 certificate ..................15
3.2.5. Location of Certificate Request Payloads ...........15
3.2.6. Presence or Absence of Certificate Request
Payloads ...........................................15
3.2.7. Certificate Requests ...............................15
3.2.8. Robustness .........................................18
3.2.9. Optimizations ......................................18
3.3. Certificate Payload .......................................19
3.3.1. Certificate Type ...................................20
3.3.2. X.509 Certificate - Signature ......................20
3.3.3. Revocation Lists (CRL and ARL) .....................20
3.3.4. PKCS #7 Wrapped X.509 Certificate ..................20
3.3.5. Location of Certificate Payloads ...................21
3.3.6. Certificate Payloads Not Mandatory .................21
3.3.7. Response to Multiple Certification
Authority Proposals ................................21
3.3.8. Using Local Keying Materials .......................21
3.3.9. Multiple End-Entity Certificates ...................22
3.3.10. Robustness ........................................22
3.3.11. Optimizations .....................................23
4. Use of Certificates in RFC 4301 and IKEv2 ......................24
4.1. Identification Payload ....................................24
4.2. Certificate Request Payload ...............................24
4.2.1. Revocation Lists (CRL and ARL) .....................24
4.3. Certificate Payload .......................................25
4.3.1. IKEv2's Hash and URL of X.509 Certificate ..........25
4.3.2. Location of Certificate Payloads ...................25
Korver Standards Track [Page 2]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
4.3.3. Ordering of Certificate Payloads ...................25
5. Certificate Profile for IKEv1/ISAKMP and IKEv2 .................26
5.1. X.509 Certificates ........................................26
5.1.1. Versions ...........................................26
5.1.2. Subject ............................................26
5.1.3. X.509 Certificate Extensions .......................27
5.2. X.509 Certificate Revocation Lists ........................33
5.2.1. Multiple Sources of Certificate Revocation
Information ........................................34
5.2.2. X.509 Certificate Revocation List Extensions .......34
5.3. Strength of Signature Hashing Algorithms ..................35
6. Configuration Data Exchange Conventions ........................36
6.1. Certificates ..............................................36
6.2. CRLs and ARLs .............................................37
6.3. Public Keys ...............................................37
6.4. PKCS#10 Certificate Signing Requests ......................37
7. Security Considerations ........................................37
7.1. Certificate Request Payload ...............................37
7.2. IKEv1 Main Mode ...........................................37
7.3. Disabling Certificate Checks ..............................38
8. Acknowledgements ...............................................38
9. References .....................................................38
9.1. Normative References ......................................38
9.2. Informative References ....................................39
Appendix A. The Possible Dangers of Delta CRLs ....................40
Appendix B. More on Empty CERTREQs ................................40
Korver Standards Track [Page 3]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
1. Introduction
IKE [1], ISAKMP [2], and IKEv2 [3] provide a secure key exchange
mechanism for use with IPsec [4] [14]. In many cases, the peers
authenticate using digital certificates as specified in PKIX [5].
Unfortunately, the combination of these standards leads to an
underspecified set of requirements for the use of certificates in the
context of IPsec.
ISAKMP references the PKIX certificate profile but, in many cases,
merely specifies the contents of various messages without specifying
their syntax or semantics. Meanwhile, the PKIX certificate profile
provides a large set of certificate mechanisms that are generally
applicable for Internet protocols, but little specific guidance for
IPsec. Given the numerous underspecified choices, interoperability
is hampered if all implementers do not make similar choices, or at
least fail to account for implementations that have chosen
differently.
This profile of the IKE and PKIX frameworks is intended to provide an
agreed-upon standard for using PKI technology in the context of IPsec
by profiling the PKIX framework for use with IKE and IPsec, and by
documenting the contents of the relevant IKE payloads and further
specifying their semantics.
In addition to providing a profile of IKE and PKIX, this document
attempts to incorporate lessons learned from recent experience with
both implementation and deployment, as well as the current state of
related protocols and technologies.
Material from ISAKMP, IKEv1, IKEv2, or PKIX is not repeated here, and
readers of this document are assumed to have read and understood
those documents. The requirements and security aspects of those
documents are fully relevant to this document as well.
This document is organized as follows. Section 2 defines special
terminology used in the rest of this document, Section 3 provides the
profile of IKEv1/ISAKMP, Section 4 provides a profile of IKEv2, and
Section 5 provides the profile of PKIX. Section 6 covers conventions
for the out-of-band exchange of keying materials for configuration
purposes.
2. Terms and Definitions
Except for those terms that are defined immediately below, all terms
used in this document are defined in either the PKIX [5], ISAKMP [2],
IKEv1 [1], IKEv2 [3], or Domain of Interpretation (DOI) [6]
documents.
Korver Standards Track [Page 4]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
o Peer source address: The source address in packets from a peer.
This address may be different from any addresses asserted as the
"identity" of the peer.
o FQDN: Fully qualified domain name.
o ID_USER_FQDN: IKEv2 renamed ID_USER_FQDN to ID_RFC822_ADDR. Both
are referred to as ID_USER_FQDN in this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [7].
3. Use of Certificates in RFC 2401 and IKEv1/ISAKMP
3.1. Identification Payload
The Identification (ID) Payload indicates the identity claimed by the
sender. The recipient can then use the ID as a lookup key for policy
and for certificate lookup in whatever certificate store or directory
that it has available. Our primary concern in this section is to
profile the ID payload so that it can be safely used to generate or
lookup policy. IKE mandates the use of the ID payload in Phase 1.
The DOI [6] defines the 11 types of Identification Data that can be
used and specifies the syntax for these types. These are discussed
below in detail.
The ID payload requirements in this document cover only the portion
of the explicit policy checks that deal with the Identification
Payload specifically. For instance, in the case where ID does not
contain an IP address, checks such as verifying that the peer source
address is permitted by the relevant policy are not addressed here,
as they are out of the scope of this document.
Implementations SHOULD populate ID with identity information that is
contained within the end-entity certificate. Populating ID with
identity information from the end-entity certificate enables
recipients to use ID as a lookup key to find the peer end-entity
certificate. The only case where implementations may populate ID
with information that is not contained in the end-entity certificate
is when ID contains the peer source address (a single address, not a
subnet or range).
Because implementations may use ID as a lookup key to determine which
policy to use, all implementations MUST be especially careful to
verify the truthfulness of the contents by verifying that they
correspond to some keying material demonstrably held by the peer.
Korver Standards Track [Page 5]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Failure to do so may result in the use of an inappropriate or
insecure policy. The following sections describe the methods for
performing this binding.
The following table summarizes the binding of the Identification
Payload to the contents of end-entity certificates and of identity
information to policy. Each ID type is covered more thoroughly in
the following sections.
ID type | Support | Correspond | Cert | SPD lookup
| for send | PKIX Attrib | matching | rules
-------------------------------------------------------------------
| | | |
IP*_ADDR | MUST [a] | SubjAltName | MUST [b] | [c], [d]
| | iPAddress | |
| | | |
FQDN | MUST [a] | SubjAltName | MUST [b] | [c], [d]
| | dNSName | |
| | | |
USER_FQDN| MUST [a] | SubjAltName | MUST [b] | [c], [d]
| | rfc822Name | |
| | | |
IP range | MUST NOT | n/a | n/a | n/a
| | | |
DN | MUST [a] | Entire | MUST [b] | MUST support lookup
| | Subject, | | on any combination
| | bitwise | | of C, CN, O, or OU
| | compare | |
| | | |
GN | MUST NOT | n/a | n/a | n/a
| | | |
KEY_ID | MUST NOT | n/a | n/a | n/a
| | | |
[a] = Implementation MUST have the configuration option to send this
ID type in the ID payload. Whether or not the ID type is used
is a matter of local configuration.
[b] = The ID in the ID payload MUST match the contents of the
corresponding field (listed) in the certificate exactly, with
no other lookup. The matched ID MAY be used for Security
Policy Database (SPD) lookup, but is not required to be used
for this.
[c] = At a minimum, Implementation MUST be capable of being
configured to perform exact matching of the ID payload contents
to an entry in the local SPD.
Korver Standards Track [Page 6]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
[d] = In addition, the implementation MAY also be configurable to
perform substring or wildcard matches of ID payload contents to
entries in the local SPD. (More on this in Section 3.1.5.)
When sending an IPV4_ADDR, IPV6_ADDR, FQDN, or USER_FQDN,
implementations MUST be able to be configured to send the same string
as it appears in the corresponding SubjectAltName extension. This
document RECOMMENDS that deployers use this configuration option.
All these ID types are treated the same: as strings that can be
compared easily and quickly to a corresponding string in an explicit
value in the certificate. Of these types, FQDN and USER_FQDN are
RECOMMENDED over IP addresses (see discussion in Section 3.1.1).
When sending a Distinguished Name (DN) as ID, implementations MUST
send the entire DN in ID. Also, implementations MUST support at
least the C, CN, O, and OU attributes for SPD matching. See Section
3.1.5 for more details about DN, including SPD matching.
Recipients MUST be able to perform SPD matching on the exact contents
of the ID, and this SHOULD be the default setting. In addition,
implementations MAY use substrings or wildcards in local policy
configuration to do the SPD matching against the ID contents. In
other words, implementations MUST be able to do exact matches of ID
to SPD, but MAY also be configurable to do substring or wildcard
matches of ID to SPD.
3.1.1. ID_IPV4_ADDR and ID_IPV6_ADDR
Implementations MUST support at least the ID_IPV4_ADDR or
ID_IPV6_ADDR ID type, depending on whether the implementation
supports IPv4, IPv6, or both. These addresses MUST be encoded in
"network byte order", as specified in IP [8]: The least significant
bit (LSB) of each octet is the LSB of the corresponding byte in the
network address. For the ID_IPV4_ADDR type, the payload MUST contain
exactly four octets [8]. For the ID_IPV6_ADDR type, the payload MUST
contain exactly sixteen octets [10].
Implementations SHOULD NOT populate ID payload with IP addresses due
to interoperability issues such as problems with Network Address
Translator (NAT) traversal, and problems with IP verification
behavior.
Deployments may only want to consider using the IP address as ID if
all of the following are true:
o the peer's IP address is static, not dynamically changing
o the peer is NOT behind a NAT'ing device
Korver Standards Track [Page 7]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
o the administrator intends the implementation to verify that the
peer source address matches the IP address in the ID received, and
that in the iPAddress field in the peer certificate's
SubjectAltName extension.
Implementations MUST be capable of verifying that the IP address
presented in ID matches via bitwise comparison the IP address present
in the certificate's iPAddress field of the SubjectAltName extension.
Implementations MUST perform this verification by default. When
comparing the contents of ID with the iPAddress field in the
SubjectAltName extension for equality, binary comparison MUST be
performed. Note that certificates may contain multiple address
identity types -- in which case, at least one must match the source
IP. If the default is enabled, then a mismatch between the two
addresses MUST be treated as an error, and security association setup
MUST be aborted. This event SHOULD be auditable. Implementations
MAY provide a configuration option to (i.e., local policy
configuration can enable) skip that verification step, but that
option MUST be off by default. We include the "option-to-skip-
validation" in order to permit better interoperability as current
implementations vary greatly in how they behave on this topic.
In addition, implementations MUST be capable of verifying that the
address contained in the ID is the same as the address contained in
the IP header. Implementations SHOULD be able to check the address
in either the outermost or innermost IP header and MAY provide a
configuration option for specifying which is to be checked. If there
is no configuration option provided, an implementation SHOULD check
the peer source address contained in the outermost header (as is the
practice of most of today's implementations). If ID is one of the IP
address types, then implementations MUST perform this verification by
default. If this default is enabled, then a mismatch MUST be treated
as an error, and security association setup MUST be aborted. This
event SHOULD be auditable. Implementations MAY provide a
configuration option to (i.e. local policy configuration can enable)
skip that verification step, but that option MUST be off by default.
We include the "option-to-skip-validation" in order to permit better
interoperability, as current implementations vary greatly in how they
behave on the topic of verification of source IP.
If the default for both the verifications above are enabled, then, by
transitive property, the implementation will also be verifying that
the peer source IP address matches via a bitwise comparison the
contents of the iPAddress field in the SubjectAltName extension in
the certificate. In addition, implementations MAY allow
administrators to configure a local policy that explicitly requires
that the peer source IP address match via a bitwise comparison the
contents of the iPAddress field in the SubjectAltName extension in
Korver Standards Track [Page 8]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
the certificate. Implementations SHOULD allow administrators to
configure a local policy that skips this validation check.
Implementations MAY support substring, wildcard, or regular
expression matching of the contents of ID to look up the policy in
the SPD, and such would be a matter of local security policy
configuration.
Implementations MAY use the IP address found in the header of packets
received from the peer to look up the policy, but such
implementations MUST still perform verification of the ID payload.
Although packet IP addresses are inherently untrustworthy and must
therefore be independently verified, it is often useful to use the
apparent IP address of the peer to locate a general class of policies
that will be used until the mandatory identity-based policy lookup
can be performed.
For instance, if the IP address of the peer is unrecognized, a VPN
gateway device might load a general "road warrior" policy that
specifies a particular Certification Authority (CA) that is trusted
to issue certificates that contain a valid rfc822Name, which can be
used by that implementation to perform authorization based on access
control lists (ACLs) after the peer's certificate has been validated.
The rfc822Name can then be used to determine the policy that provides
specific authorization to access resources (such as IP addresses,
ports, and so forth).
As another example, if the IP address of the peer is recognized to be
a known peer VPN endpoint, policy may be determined using that
address, but until the identity (address) is validated by validating
the peer certificate, the policy MUST NOT be used to authorize any
IPsec traffic.
3.1.2. ID_FQDN
Implementations MUST support the ID_FQDN ID type, generally to
support host-based access control lists for hosts without fixed IP
addresses. However, implementations SHOULD NOT use the DNS to map
the FQDN to IP addresses for input into any policy decisions, unless
that mapping is known to be secure, for example, if DNSSEC [11] were
employed for that FQDN.
If ID contains an ID_FQDN, implementations MUST be capable of
verifying that the identity contained in the ID payload matches
identity information contained in the peer end-entity certificate, in
the dNSName field in the SubjectAltName extension. Implementations
MUST perform this verification by default. When comparing the
contents of ID with the dNSName field in the SubjectAltName extension
Korver Standards Track [Page 9]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
for equality, case-insensitive string comparison MUST be performed.
Note that case-insensitive string comparison works on
internationalized domain names (IDNs) as well (See IDN [12]).
Substring, wildcard, or regular expression matching MUST NOT be
performed for this comparison. If this default is enabled, then a
mismatch MUST be treated as an error, and security association setup
MUST be aborted. This event SHOULD be auditable. Implementations
MAY provide a configuration option to (i.e., local policy
configuration can enable) skip that verification step, but that
option MUST be off by default. We include the "option-to-skip-
validation" in order to permit better interoperability, as current
implementations vary greatly in how they behave on this topic.
Implementations MAY support substring, wildcard, or regular
expression matching of the contents of ID to look up the policy in
the SPD, and such would be a matter of local security policy
configuration.
3.1.3. ID_USER_FQDN
Implementations MUST support the ID_USER_FQDN ID type, generally to
support user-based access control lists for users without fixed IP
addresses. However, implementations SHOULD NOT use the DNS to map
the FQDN portion to IP addresses for input into any policy decisions,
unless that mapping is known to be secure, for example, if DNSSEC
[11] were employed for that FQDN.
Implementations MUST be capable of verifying that the identity
contained in the ID payload matches identity information contained in
the peer end-entity certificate, in the rfc822Name field in the
SubjectAltName extension. Implementations MUST perform this
verification by default. When comparing the contents of ID with the
rfc822Name field in the SubjectAltName extension for equality, case-
insensitive string comparison MUST be performed. Note that case-
insensitive string comparison works on internationalized domain names
(IDNs) as well (See IDN [12]). Substring, wildcard, or regular
expression matching MUST NOT be performed for this comparison. If
this default is enabled, then a mismatch MUST be treated as an error,
and security association setup MUST be aborted. This event SHOULD be
auditable. Implementations MAY provide a configuration option to
(i.e., local policy configuration can enable) skip that verification
step, but that option MUST be off by default. We include the
"option-to-skip-validation" in order to permit better
interoperability, as current implementations vary greatly in how they
behave on this topic.
Korver Standards Track [Page 10]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Implementations MAY support substring, wildcard, or regular
expression matching of the contents of ID to look up policy in the
SPD, and such would be a matter of local security policy
configuration.
3.1.4. ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE,
ID_IPV6_ADDR_RANGE
Note that RFC 3779 [13] defines blocks of addresses using the
certificate extension identified by:
id-pe-ipAddrBlock OBJECT IDENTIFIER ::= { id-pe 7 }
although use of this extension in IKE is considered experimental at
this time.
3.1.5. ID_DER_ASN1_DN
Implementations MUST support receiving the ID_DER_ASN1_DN ID type.
Implementations MUST be capable of generating this type, and the
decision to do so will be a matter of local security policy
configuration. When generating this type, implementations MUST
populate the contents of ID with the Subject field from the end-
entity certificate, and MUST do so such that a binary comparison of
the two will succeed. If there is not a match, this MUST be treated
as an error, and security association setup MUST be aborted. This
event SHOULD be auditable.
Implementations MUST NOT populate ID with the Subject from the end-
entity certificate if it is empty, even though an empty certificate
Subject is explicitly allowed in the "Subject" section of the PKIX
certificate profile.
Regarding SPD matching, implementations MUST be able to perform
matching based on a bitwise comparison of the entire DN in ID to its
entry in the SPD. However, operational experience has shown that
using the entire DN in local configuration is difficult, especially
in large-scale deployments. Therefore, implementations also MUST be
able to perform SPD matches of any combination of one or more of the
C, CN, O, OU attributes within Subject DN in the ID to the same in
the SPD. Implementations MAY support matching using additional DN
attributes in any combination, although interoperability is far from
certain and is dubious. Implementations MAY also support performing
substring, wildcard, or regular expression matches for any of its
supported DN attributes from ID, in any combination, to the SPD.
Such flexibility allows deployers to create one SPD entry on the
gateway for an entire department of a company (e.g., O=Foobar Inc.,
OU=Engineering) while still allowing them to draw out other details
Korver Standards Track [Page 11]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
from the DN (e.g., CN=John Doe) for auditing purposes. All the above
is a matter of local implementation and local policy definition and
enforcement capability, not bits on the wire, but will have a great
impact on interoperability.
3.1.6. ID_DER_ASN1_GN
Implementations MUST NOT generate this type, because the recipient
will be unlikely to know how to use it.
3.1.7. ID_KEY_ID
The ID_KEY_ID type used to specify pre-shared keys and thus is out of
scope.
3.1.8. Selecting an Identity from a Certificate
Implementations MUST support certificates that contain more than a
single identity, such as when the Subject field and the
SubjectAltName extension are both populated, or the SubjectAltName
extension contains multiple identities irrespective of whether or not
the Subject is empty. In many cases, a certificate will contain an
identity, such as an IP address, in the SubjectAltName extension in
addition to a non-empty Subject.
Implementations should populate ID with whichever identity is likely
to be named in the peer's policy. In practice, this generally means
FQDN, or USER_FQDN, but this information may also be available to the
administrator through some out-of-band means. In the absence of such
out-of-band configuration information, the identity with which an
implementation chooses to populate the ID payload is a local matter.
3.1.9. Subject for DN Only
If an FQDN is intended to be processed as an identity for the
purposes of ID matching, it MUST be placed in the dNSName field of
the SubjectAltName extension. Implementations MUST NOT populate the
Subject with an FQDN in place of populating the dNSName field of the
SubjectAltName extension.
While nothing prevents an FQDN, USER_FQDN, or IP address information
from appearing somewhere in the Subject contents, such entries MUST
NOT be interpreted as identity information for the purposes of
matching with ID or for policy lookup.
Korver Standards Track [Page 12]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
3.1.10. Binding Identity to Policy
In the presence of certificates that contain multiple identities,
implementations should select the most appropriate identity from the
certificate and populate the ID with that. The recipient MUST use
the identity sent as a first key when selecting the policy. The
recipient MUST also use the most specific policy from that database
if there are overlapping policies caused by wildcards (or the
implementation can de-correlate the policy database so there will not
be overlapping entries, or it can also forbid creation of overlapping
policies and leave the de-correlation process to the administrator,
but, as this moves the problem to the administrator, it is NOT
RECOMMENDED).
For example, imagine that an implementation is configured with a
certificate that contains both a non-empty Subject and a dNSName.
The sender's policy may specify which of those to use, and it
indicates the policy to the other end by sending that ID. If the
recipient has both a specific policy for the dNSName for this host
and generic wildcard rule for some attributes present in the Subject
field, it will match a different policy depending on which ID is
sent. As the sender knows why it wanted to connect the peer, it also
knows what identity it should use to match the policy it needs to the
operation it tries to perform; it is the only party who can select
the ID adequately.
In the event that the policy cannot be found in the recipient's SPD
using the ID sent, then the recipient MAY use the other identities in
the certificate when attempting to match a suitable policy. For
example, say the certificate contains a non-empty Subject field, a
dNSName and an iPAddress. If an iPAddress is sent in ID but no
specific entry exists for the address in the policy database, the
recipient MAY search in the policy database based on the Subject or
the dNSName contained in the certificate.
3.2. Certificate Request Payload
The Certificate Request (CERTREQ) Payload allows an implementation to
request that a peer provide some set of certificates or certificate
revocation lists (CRLs). It is not clear from ISAKMP exactly how
that set should be specified or how the peer should respond. We
describe the semantics on both sides.
Korver Standards Track [Page 13]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
3.2.1. Certificate Type
The Certificate Type field identifies to the peer the type of
certificate keying materials that are desired. ISAKMP defines 10
types of Certificate Data that can be requested and specifies the
syntax for these types. For the purposes of this document, only the
following types are relevant:
o X.509 Certificate - Signature
o Revocation Lists (CRL and ARL)
o PKCS #7 wrapped X.509 certificate
The use of the other types are out of the scope of this document:
o X.509 Certificate - Key Exchange
o PGP (Pretty Good Privacy) Certificate
o DNS Signed Key
o Kerberos Tokens
o SPKI (Simple Public Key Infrastructure) Certificate
o X.509 Certificate Attribute
3.2.2. X.509 Certificate - Signature
This type requests that the end-entity certificate be a certificate
used for signing.
3.2.3. Revocation Lists (CRL and ARL)
ISAKMP does not support Certificate Payload sizes over approximately
64K, which is too small for many CRLs, and UDP fragmentation is
likely to occur at sizes much smaller than that. Therefore, the
acquisition of revocation material is to be dealt with out-of-band of
IKE. For this and other reasons, implementations SHOULD NOT generate
CERTREQs where the Certificate Type is "Certificate Revocation List
(CRL)" or "Authority Revocation List (ARL)". Implementations that do
generate such CERTREQs MUST NOT require the recipient to respond with
a CRL or ARL, and MUST NOT fail when not receiving any. Upon receipt
of such a CERTREQ, implementations MAY ignore the request.
In lieu of exchanging revocation lists in-band, a pointer to
revocation checking SHOULD be listed in either the
CRLDistributionPoints (CDP) or the AuthorityInfoAccess (AIA)
certificate extensions (see Section 5 for details). Unless other
methods for obtaining revocation information are available,
implementations SHOULD be able to process these attributes, and from
them be able to identify cached revocation material, or retrieve the
relevant revocation material from a URL, for validation processing.
In addition, implementations MUST have the ability to configure
Korver Standards Track [Page 14]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
validation checking information for each certification authority.
Regardless of the method (CDP, AIA, or static configuration), the
acquisition of revocation material SHOULD occur out-of-band of IKE.
Note, however, that an inability to access revocation status data
through out-of-band means provides a potential security vulnerability
that could potentially be exploited by an attacker.
3.2.4. PKCS #7 wrapped X.509 certificate
This ID type defines a particular encoding (not a particular
certificate type); some current implementations may ignore CERTREQs
they receive that contain this ID type, and the editors are unaware
of any implementations that generate such CERTREQ messages.
Therefore, the use of this type is deprecated. Implementations
SHOULD NOT require CERTREQs that contain this Certificate Type.
Implementations that receive CERTREQs that contain this ID type MAY
treat such payloads as synonymous with "X.509 Certificate -
Signature".
3.2.5. Location of Certificate Request Payloads
In IKEv1 Main Mode, the CERTREQ payload MUST be in messages 4 and 5.
3.2.6. Presence or Absence of Certificate Request Payloads
When in-band exchange of certificate keying materials is desired,
implementations MUST inform the peer of this by sending at least one
CERTREQ. In other words, an implementation that does not send any
CERTREQs during an exchange SHOULD NOT expect to receive any CERT
payloads.
3.2.7. Certificate Requests
3.2.7.1. Specifying Certification Authorities
When requesting in-band exchange of keying materials, implementations
SHOULD generate CERTREQs for every peer trust anchor that local
policy explicitly deems trusted during a given exchange.
Implementations SHOULD populate the Certification Authority field
with the Subject field of the trust anchor, populated such that
binary comparison of the Subject and the Certification Authority will
succeed.
Korver Standards Track [Page 15]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Upon receipt of a CERTREQ, implementations MUST respond by sending at
least the end-entity certificate corresponding to the Certification
Authority listed in the CERTREQ unless local security policy
configuration specifies that keying materials must be exchanged out-
of-band. Implementations MAY send certificates other than the end-
entity certificate (see Section 3.3 for discussion).
Note that, in the case where multiple end-entity certificates may be
available that chain to different trust anchors, implementations
SHOULD resort to local heuristics to determine which trust anchor is
most appropriate to use for generating the CERTREQ. Such heuristics
are out of the scope of this document.
3.2.7.2. Empty Certification Authority Field
Implementations SHOULD generate CERTREQs where the Certificate Type
is "X.509 Certificate - Signature" and where the Certification
Authority field is not empty. However, implementations MAY generate
CERTREQs with an empty Certification Authority field under special
conditions. Although PKIX prohibits certificates with an empty
Issuer field, there does exist a use case where doing so is
appropriate, and carries special meaning in the IKE context. This
has become a convention within the IKE interoperability tests and
usage space, and so its use is specified, explained here for the sake
of interoperability.
USE CASE: Consider the rare case where you have a gateway with
multiple policies for a large number of IKE peers: some of these
peers are business partners, some are remote-access employees, some
are teleworkers, some are branch offices, and/or the gateway may be
simultaneously serving many customers (e.g., Virtual Routers). The
total number of certificates, and corresponding trust anchors, is
very high -- say, hundreds. Each of these policies is configured
with one or more acceptable trust anchors, so that in total, the
gateway has one hundred (100) trust anchors that could possibly used
to authenticate an incoming connection. Assume that many of those
connections originate from hosts/gateways with dynamically assigned
IP addresses, so that the source IP of the IKE initiator is not known
to the gateway, nor is the identity of the initiator (until it is
revealed in Main Mode message 5). In IKE main mode message 4, the
responder gateway will need to send a CERTREQ to the initiator.
Given this example, the gateway will have no idea which of the
hundred possible Certification Authorities to send in the CERTREQ.
Sending all possible Certification Authorities will cause significant
processing delays, bandwidth consumption, and UDP fragmentation, so
this tactic is ruled out.
Korver Standards Track [Page 16]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
In such a deployment, the responder gateway implementation should be
able to do all it can to indicate a Certification Authority in the
CERTREQ. This means the responder SHOULD first check SPD to see if
it can match the source IP, and find some indication of which CA is
associated with that IP. If this fails (because the source IP is not
familiar, as in the case above), then the responder SHOULD have a
configuration option specifying which CAs are the default CAs to
indicate in CERTREQ during such ambiguous connections (e.g., send
CERTREQ with these N CAs if there is an unknown source IP). If such
a fall-back is not configured or impractical in a certain deployment
scenario, then the responder implementation SHOULD have both of the
following configuration options:
o send a CERTREQ payload with an empty Certification Authority
field, or
o terminate the negotiation with an appropriate error message and
audit log entry.
Receiving a CERTREQ payload with an empty Certification Authority
field indicates that the recipient should send all/any end-entity
certificates it has, regardless of the trust anchor. The initiator
should be aware of what policy and which identity it will use, as it
initiated the connection on a matched policy to begin with, and can
thus respond with the appropriate certificate.
If, after sending an empty CERTREQ in Main Mode message 4, a
responder receives a certificate in message 5 that chains to a trust
anchor that the responder either (a) does NOT support, or (b) was not
configured for the policy (that policy was now able to be matched due
to having the initiator's certificate present), this MUST be treated
as an error, and security association setup MUST be aborted. This
event SHOULD be auditable.
Instead of sending an empty CERTREQ, the responder implementation MAY
be configured to terminate the negotiation on the grounds of a
conflict with locally configured security policy.
The decision of which to configure is a matter of local security
policy; this document RECOMMENDS that both options be presented to
administrators.
More examples and explanation of this issue are included in "More on
Empty CERTREQs" (Appendix B).
Korver Standards Track [Page 17]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
3.2.8. Robustness
3.2.8.1. Unrecognized or Unsupported Certificate Types
Implementations MUST be able to deal with receiving CERTREQs with
unsupported Certificate Types. Absent any recognized and supported
CERTREQ types, implementations MAY treat them as if they are of a
supported type with the Certification Authority field left empty,
depending on local policy. ISAKMP [2] Section 5.10, "Certificate
Request Payload Processing", specifies additional processing.
3.2.8.2. Undecodable Certification Authority Fields
Implementations MUST be able to deal with receiving CERTREQs with
undecodable Certification Authority fields. Implementations MAY
ignore such payloads, depending on local policy. ISAKMP specifies
other actions which may be taken.
3.2.8.3. Ordering of Certificate Request Payloads
Implementations MUST NOT assume that CERTREQs are ordered in any way.
3.2.9. Optimizations
3.2.9.1. Duplicate Certificate Request Payloads
Implementations SHOULD NOT send duplicate CERTREQs during an
exchange.
3.2.9.2. Name Lowest 'Common' Certification Authorities
When a peer's certificate keying material has been cached, an
implementation can send a hint to the peer to elide some of the
certificates the peer would normally include in the response. In
addition to the normal set of CERTREQs that are sent specifying the
trust anchors, an implementation MAY send CERTREQs specifying the
relevant cached end-entity certificates. When sending these hints,
it is still necessary to send the normal set of trust anchor CERTREQs
because the hints do not sufficiently convey all of the information
required by the peer. Specifically, either the peer may not support
this optimization or there may be additional chains that could be
used in this context but will not be if only the end-entity
certificate is specified.
No special processing is required on the part of the recipient of
such a CERTREQ, and the end-entity certificates will still be sent.
On the other hand, the recipient MAY elect to elide certificates
based on receipt of such hints.
Korver Standards Track [Page 18]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
CERTREQs must contain information that identifies a Certification
Authority certificate, which results in the peer always sending at
least the end-entity certificate. Always sending the end-entity
certificate allows implementations to determine unambiguously when a
new certificate is being used by a peer (perhaps because the previous
certificate has just expired), which may result in a failure because
a new intermediate CA certificate might not be available to validate
the new end-entity certificate). Implementations that implement this
optimization MUST recognize when the end-entity certificate has
changed and respond to it by not performing this optimization if the
exchange must be retried so that any missing keying materials will be
sent during retry.
3.2.9.3. Example
Imagine that an IKEv1 implementation has previously received and
cached the peer certificate chain TA->CA1->CA2->EE. If, during a
subsequent exchange, this implementation sends a CERTREQ containing
the Subject field in certificate TA, this implementation is
requesting that the peer send at least three certificates: CA1, CA2,
and EE. On the other hand, if this implementation also sends a
CERTREQ containing the Subject field of CA2, the implementation is
providing a hint that only one certificate needs to be sent: EE.
Note that in this example, the fact that TA is a trust anchor should
not be construed to imply that TA is a self-signed certificate.
3.3. Certificate Payload
The Certificate (CERT) Payload allows the peer to transmit a single
certificate or CRL. Multiple certificates should be transmitted in
multiple payloads. For backwards-compatibility reasons,
implementations MAY send intermediate CA certificates in addition to
the appropriate end-entity certificate(s), but SHOULD NOT send any
CRLs, ARLs, or trust anchors. Exchanging trust anchors and
especially CRLs and ARLs in IKE would increase the likelihood of UDP
fragmentation, make the IKE exchange more complex, and consume
additional network bandwidth.
Note, however, that while the sender of the CERT payloads SHOULD NOT
send any certificates it considers trust anchors, it's possible that
the recipient may consider any given intermediate CA certificate to
be a trust anchor. For instance, imagine the sender has the
certificate chain TA1->CA1->EE1 while the recipient has the
certificate chain TA2->EE2 where TA2=CA1. The sender is merely
including an intermediate CA certificate, while the recipient
receives a trust anchor.
Korver Standards Track [Page 19]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
However, not all certificate forms that are legal in the PKIX
certificate profile make sense in the context of IPsec. The issue of
how to represent IKE-meaningful name-forms in a certificate is
especially problematic. This document provides a profile for a
subset of the PKIX certificate profile that makes sense for IKEv1/
ISAKMP.
3.3.1. Certificate Type
The Certificate Type field identifies to the peer the type of
certificate keying materials that are included. ISAKMP defines 10
types of Certificate Data that can be sent and specifies the syntax
for these types. For the purposes of this document, only the
following types are relevant:
o X.509 Certificate - Signature
o Revocation Lists (CRL and ARL)
o PKCS #7 wrapped X.509 certificate
The use of the other types are out of the scope of this document:
o X.509 Certificate - Key Exchange
o PGP Certificate
o DNS Signed Key
o Kerberos Tokens
o SPKI Certificate
o X.509 Certificate Attribute
3.3.2. X.509 Certificate - Signature
This type specifies that Certificate Data contains a certificate used
for signing.
3.3.3. Revocation Lists (CRL and ARL)
These types specify that Certificate Data contains an X.509 CRL or
ARL. These types SHOULD NOT be sent in IKE. See Section 3.2.3 for
discussion.
3.3.4. PKCS #7 Wrapped X.509 Certificate
This type defines a particular encoding, not a particular certificate
type. Implementations SHOULD NOT generate CERTs that contain this
Certificate Type. Implementations SHOULD accept CERTs that contain
this Certificate Type because several implementations are known to
generate them. Note that those implementations sometimes include
Korver Standards Track [Page 20]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
entire certificate hierarchies inside a single CERT PKCS #7 payload,
which violates the requirement specified in ISAKMP that this payload
contain a single certificate.
3.3.5. Location of Certificate Payloads
In IKEv1 Main Mode, the CERT payload MUST be in messages 5 and 6.
3.3.6. Certificate Payloads Not Mandatory
An implementation that does not receive any CERTREQs during an
exchange SHOULD NOT send any CERT payloads, except when explicitly
configured to proactively send CERT payloads in order to interoperate
with non-compliant implementations that fail to send CERTREQs even
when certificates are desired. In this case, an implementation MAY
send the certificate chain (not including the trust anchor)
associated with the end-entity certificate. This MUST NOT be the
default behavior of implementations.
Implementations whose local security policy configuration expects
that a peer must receive certificates through out-of-band means
SHOULD ignore any CERTREQ messages that are received. Such a
condition has been known to occur due to non-compliant or buggy
implementations.
Implementations that receive CERTREQs from a peer that contain only
unrecognized Certification Authorities MAY elect to terminate the
exchange, in order to avoid unnecessary and potentially expensive
cryptographic processing, denial-of-service (resource starvation)
attacks.
3.3.7. Response to Multiple Certification Authority Proposals
In response to multiple CERTREQs that contain different Certification
Authority identities, implementations MAY respond using an end-entity
certificate which chains to a CA that matches any of the identities
provided by the peer.
3.3.8. Using Local Keying Materials
Implementations MAY elect to skip parsing or otherwise decoding a
given set of CERTs if those same keying materials are available via
some preferable means, such as the case where certificates from a
previous exchange have been cached.
Korver Standards Track [Page 21]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
3.3.9. Multiple End-Entity Certificates
Implementations SHOULD NOT send multiple end-entity certificates and
recipients SHOULD NOT be expected to iterate over multiple end-entity
certificates.
If multiple end-entity certificates are sent, they MUST have the same
public key; otherwise, the responder does not know which key was used
in the Main Mode message 5.
3.3.10. Robustness
3.3.10.1. Unrecognized or Unsupported Certificate Types
Implementations MUST be able to deal with receiving CERTs with
unrecognized or unsupported Certificate Types. Implementations MAY
discard such payloads, depending on local policy. ISAKMP [2] Section
5.10, "Certificate Request Payload Processing", specifies additional
processing.
3.3.10.2. Undecodable Certificate Data Fields
Implementations MUST be able to deal with receiving CERTs with
undecodable Certificate Data fields. Implementations MAY discard
such payloads, depending on local policy. ISAKMP specifies other
actions that may be taken.
3.3.10.3. Ordering of Certificate Payloads
Implementations MUST NOT assume that CERTs are ordered in any way.
3.3.10.4. Duplicate Certificate Payloads
Implementations MUST support receiving multiple identical CERTs
during an exchange.
3.3.10.5. Irrelevant Certificates
Implementations MUST be prepared to receive certificates and CRLs
that are not relevant to the current exchange. Implementations MAY
discard such extraneous certificates and CRLs.
Implementations MAY send certificates that are irrelevant to an
exchange. One reason for including certificates that are irrelevant
to an exchange is to minimize the threat of leaking identifying
information in exchanges where CERT is not encrypted in IKEv1. It
should be noted, however, that this probably provides rather poor
protection against leaking the identity.
Korver Standards Track [Page 22]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Another reason for including certificates that seem irrelevant to an
exchange is that there may be two chains from the Certification
Authority to the end entity, each of which is only valid with certain
validation parameters (such as acceptable policies). Since the end-
entity doesn't know which parameters the relying party is using, it
should send the certificates needed for both chains (even if there's
only one CERTREQ).
Implementations SHOULD NOT send multiple end-entity certificates and
recipients SHOULD NOT be expected to iterate over multiple end-entity
certificates.
3.3.11. Optimizations
3.3.11.1. Duplicate Certificate Payloads
Implementations SHOULD NOT send duplicate CERTs during an exchange.
Such payloads should be suppressed.
3.3.11.2. Send Lowest 'Common' Certificates
When multiple CERTREQs are received that specify certification
authorities within the end-entity certificate chain, implementations
MAY send the shortest chain possible. However, implementations
SHOULD always send the end-entity certificate. See Section 3.2.9.2
for more discussion of this optimization.
3.3.11.3. Ignore Duplicate Certificate Payloads
Implementations MAY employ local means to recognize CERTs that have
already been received and SHOULD discard these duplicate CERTs.
3.3.11.4. Hash Payload
IKEv1 specifies the optional use of the Hash Payload to carry a
pointer to a certificate in either of the Phase 1 public key
encryption modes. This pointer is used by an implementation to
locate the end-entity certificate that contains the public key that a
peer should use for encrypting payloads during the exchange.
Implementations SHOULD include this payload whenever the public
portion of the keypair has been placed in a certificate.
Korver Standards Track [Page 23]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
4. Use of Certificates in RFC 4301 and IKEv2
4.1. Identification Payload
The Peer Authorization Database (PAD) as described in RFC 4301 [14]
describes the use of the ID payload in IKEv2 and provides a formal
model for the binding of identity to policy in addition to providing
services that deal more specifically with the details of policy
enforcement, which are generally out of scope of this document. The
PAD is intended to provide a link between the SPD and the security
association management in protocols such as IKE. See RFC 4301 [14],
Section 4.4.3 for more details.
Note that IKEv2 adds an optional IDr payload in the second exchange
that the initiator may send to the responder in order to specify
which of the responder's multiple identities should be used. The
responder MAY choose to send an IDr in the third exchange that
differs in type or content from the initiator-generated IDr. The
initiator MUST be able to receive a responder-generated IDr that is a
different type from the one the initiator generated.
4.2. Certificate Request Payload
4.2.1. Revocation Lists (CRL and ARL)
IKEv2 does not support Certificate Payload sizes over approximately
64K. See Section 3.2.3 for the problems this can cause.
4.2.1.1. IKEv2's Hash and URL of X.509 certificate
This ID type defines a request for the peer to send a hash and URL of
its X.509 certificate, instead of the actual certificate itself.
This is a particularly useful mechanism when the peer is a device
with little memory and lower bandwidth, e.g., a mobile handset or
consumer electronics device.
If the IKEv2 implementation supports URL lookups, and prefers such a
URL to receiving actual certificates, then the implementation will
want to send a notify of type HTTP_CERT_LOOKUP_SUPPORTED. From IKEv2
[3], Section 3.10.1, "This notification MAY be included in any
message that can include a CERTREQ payload and indicates that the
sender is capable of looking up certificates based on an HTTP-based
URL (and hence presumably would prefer to receive certificate
specifications in that format)". If an HTTP_CERT_LOOKUP_SUPPORTED
notification is sent, the sender MUST support the http scheme. See
Section 4.3.1 for more discussion of HTTP_CERT_LOOKUP_SUPPORTED.
Korver Standards Track [Page 24]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
4.2.1.2. Location of Certificate Request Payloads
In IKEv2, the CERTREQ payload must be in messages 2 and 3. Note that
in IKEv2, it is possible to have one side authenticating with
certificates while the other side authenticates with pre-shared keys.
4.3. Certificate Payload
4.3.1. IKEv2's Hash and URL of X.509 Certificate
This type specifies that Certificate Data contains a hash and the URL
to a repository where an X.509 certificate can be retrieved.
An implementation that sends an HTTP_CERT_LOOKUP_SUPPORTED
notification MUST support the http scheme and MAY support the ftp
scheme, and MUST NOT require any specific form of the url-path, and
it SHOULD support having user-name, password, and port parts in the
URL. The following are examples of mandatory forms:
o http://certs.example.com/certificate.cer
o http://certs.example.com/certs/cert.pl?u=foo;a=pw;valid-to=+86400
o http://certs.example.com/%0a/../foo/bar/zappa
while the following is an example of a form that SHOULD be supported:
o http://user:password@certs.example.com:8888/certificate.cer
FTP MAY be supported, and if it is, the following is an example of
the ftp scheme that MUST be supported:
o ftp://ftp.example.com/pub/certificate.cer
4.3.2. Location of Certificate Payloads
In IKEv2, the CERT payload MUST be in messages 3 and 4. Note that in
IKEv2, it is possible to have one side authenticating with
certificates while the other side authenticates with pre-shared keys.
4.3.3. Ordering of Certificate Payloads
For IKEv2, implementations MUST NOT assume that any but the first
CERT is ordered in any way. IKEv2 specifies that the first CERT
contain an end-entity certificate that can be used to authenticate
the peer.
Korver Standards Track [Page 25]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5. Certificate Profile for IKEv1/ISAKMP and IKEv2
Except where specifically stated in this document, implementations
MUST conform to the requirements of the PKIX [5] certificate profile.
5.1. X.509 Certificates
Users deploying IKE and IPsec with certificates have often had little
control over the capabilities of CAs available to them.
Implementations of this specification may include configuration knobs
to disable checks required by this specification in order to permit
use with inflexible and/or noncompliant CAs. However, all checks on
certificates exist for a specific reason involving the security of
the entire system. Therefore, all checks MUST be enabled by default.
Administrators and users ought to understand the security purpose for
the various checks, and be clear on what security will be lost by
disabling the check.
5.1.1. Versions
Although PKIX states that "implementations SHOULD be prepared to
accept any version certificate", in practice, this profile requires
certain extensions that necessitate the use of Version 3 certificates
for all but self-signed certificates used as trust anchors.
Implementations that conform to this document MAY therefore reject
Version 1 and Version 2 certificates in all other cases.
5.1.2. Subject
Certification Authority implementations MUST be able to create
certificates with Subject fields with at least the following four
attributes: CN, C, O, and OU. Implementations MAY support other
Subject attributes as well. The contents of these attributes SHOULD
be configurable on a certificate-by-certificate basis, as these
fields will likely be used by IKE implementations to match SPD
policy.
See Section 3.1.5 for details on how IKE implementations need to be
able to process Subject field attributes for SPD policy lookup.
5.1.2.1. Empty Subject Name
IKE Implementations MUST accept certificates that contain an empty
Subject field, as specified in the PKIX certificate profile.
Identity information in such certificates will be contained entirely
in the SubjectAltName extension.
Korver Standards Track [Page 26]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.1.2.2. Specifying Hosts and not FQDN in the Subject Name
Implementations that desire to place host names that are not intended
to be processed by recipients as FQDNs (for instance "Gateway
Router") in the Subject MUST use the commonName attribute.
5.1.2.3. EmailAddress
As specified in the PKIX certificate profile, implementations MUST
NOT populate X.500 distinguished names with the emailAddress
attribute.
5.1.3. X.509 Certificate Extensions
Conforming IKE implementations MUST recognize extensions that must or
may be marked critical according to this specification. These
extensions are: KeyUsage, SubjectAltName, and BasicConstraints.
Certification Authority implementations SHOULD generate certificates
such that the extension criticality bits are set in accordance with
the PKIX certificate profile and this document. With respect to
compliance with the PKIX certificate profile, IKE implementations
processing certificates MAY ignore the value of the criticality bit
for extensions that are supported by that implementation, but MUST
support the criticality bit for extensions that are not supported by
that implementation. That is, a relying party SHOULD processes all
the extensions it is aware of whether the bit is true or false -- the
bit says what happens when a relying party cannot process an
extension.
implements bit in cert PKIX mandate behavior
------------------------------------------------------
yes true true ok
yes true false ok or reject
yes false true ok or reject
yes false false ok
no true true reject
no true false reject
no false true reject
no false false ok
5.1.3.1. AuthorityKeyIdentifier and SubjectKeyIdentifier
Implementations SHOULD NOT assume support for the
AuthorityKeyIdentifier or SubjectKeyIdentifier extensions. Thus,
Certification Authority implementations should not generate
certificate hierarchies that are overly complex to process in the
absence of these extensions, such as those that require possibly
Korver Standards Track [Page 27]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
verifying a signature against a large number of similarly named CA
certificates in order to find the CA certificate that contains the
key that was used to generate the signature.
5.1.3.2. KeyUsage
IKE uses an end-entity certificate in the authentication process.
The end-entity certificate may be used for multiple applications. As
such, the CA can impose some constraints on the manner that a public
key ought to be used. The KeyUsage (KU) and ExtendedKeyUsage (EKU)
extensions apply in this situation.
Since we are talking about using the public key to validate a
signature, if the KeyUsage extension is present, then at least one of
the digitalSignature or the nonRepudiation bits in the KeyUsage
extension MUST be set (both can be set as well). It is also fine if
other KeyUsage bits are set.
A summary of the logic flow for peer cert validation follows:
o If no KU extension, continue.
o If KU present and doesn't mention digitalSignature or
nonRepudiation (both, in addition to other KUs, is also fine),
reject cert.
o If none of the above, continue.
5.1.3.3. PrivateKeyUsagePeriod
The PKIX certificate profile recommends against the use of this
extension. The PrivateKeyUsageExtension is intended to be used when
signatures will need to be verified long past the time when
signatures using the private keypair may be generated. Since IKE
security associations (SAs) are short-lived relative to the intended
use of this extension in addition to the fact that each signature is
validated only a single time, the usefulness of this extension in the
context of IKE is unclear. Therefore, Certification Authority
implementations MUST NOT generate certificates that contain the
PrivateKeyUsagePeriod extension. If an IKE implementation receives a
certificate with this set, it SHOULD ignore it.
Korver Standards Track [Page 28]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.1.3.4. CertificatePolicies
Many IKE implementations do not currently provide support for the
CertificatePolicies extension. Therefore, Certification Authority
implementations that generate certificates that contain this
extension SHOULD NOT mark the extension as critical. As is the case
with all certificate extensions, a relying party receiving this
extension but who can process the extension SHOULD NOT reject the
certificate because it contains the extension.
5.1.3.5. PolicyMappings
Many IKE implementations do not support the PolicyMappings extension.
Therefore, implementations that generate certificates that contain
this extension SHOULD NOT mark the extension as critical.
5.1.3.6. SubjectAltName
Deployments that intend to use an ID of FQDN, USER_FQDN, IPV4_ADDR,
or IPV6_ADDR MUST issue certificates with the corresponding
SubjectAltName fields populated with the same data. Implementations
SHOULD generate only the following GeneralName choices in the
SubjectAltName extension, as these choices map to legal IKEv1/ISAKMP/
IKEv2 Identification Payload types: rfc822Name, dNSName, or
iPAddress. Although it is possible to specify any GeneralName choice
in the Identification Payload by using the ID_DER_ASN1_GN ID type,
implementations SHOULD NOT assume support for such functionality, and
SHOULD NOT generate certificates that do so.
5.1.3.6.1. dNSName
If the IKE ID type is FQDN, then this field MUST contain a fully
qualified domain name. If the IKE ID type is FQDN, then the dNSName
field MUST match its contents. Implementations MUST NOT generate
names that contain wildcards. Implementations MAY treat certificates
that contain wildcards in this field as syntactically invalid.
Although this field is in the form of an FQDN, IKE implementations
SHOULD NOT assume that this field contains an FQDN that will resolve
via the DNS, unless this is known by way of some out-of-band
mechanism. Such a mechanism is out of the scope of this document.
Implementations SHOULD NOT treat the failure to resolve as an error.
Korver Standards Track [Page 29]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.1.3.6.2. iPAddress
If the IKE ID type is IPV4_ADDR or IPV6_ADDR, then the iPAddress
field MUST match its contents. Note that although PKIX permits CIDR
[15] notation in the "Name Constraints" extension, the PKIX
certificate profile explicitly prohibits using CIDR notation for
conveying identity information. In other words, the CIDR notation
MUST NOT be used in the SubjectAltName extension.
5.1.3.6.3. rfc822Name
If the IKE ID type is USER_FQDN, then the rfc822Name field MUST match
its contents. Although this field is in the form of an Internet mail
address, IKE implementations SHOULD NOT assume that this field
contains a valid email address, unless this is known by way of some
out-of-band mechanism. Such a mechanism is out of the scope of this
document.
5.1.3.7. IssuerAltName
Certification Authority implementations SHOULD NOT assume that other
implementations support the IssuerAltName extension, and especially
should not assume that information contained in this extension will
be displayed to end users.
5.1.3.8. SubjectDirectoryAttributes
The SubjectDirectoryAttributes extension is intended to convey
identification attributes of the subject. IKE implementations MAY
ignore this extension when it is marked non-critical, as the PKIX
certificate profile mandates.
5.1.3.9. BasicConstraints
The PKIX certificate profile mandates that CA certificates contain
this extension and that it be marked critical. IKE implementations
SHOULD reject CA certificates that do not contain this extension.
For backwards compatibility, implementations may accept such
certificates if explicitly configured to do so, but the default for
this setting MUST be to reject such certificates.
5.1.3.10. NameConstraints
Many IKE implementations do not support the NameConstraints
extension. Since the PKIX certificate profile mandates that this
extension be marked critical when present, Certification Authority
implementations that are interested in maximal interoperability for
IKE SHOULD NOT generate certificates that contain this extension.
Korver Standards Track [Page 30]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.1.3.11. PolicyConstraints
Many IKE implementations do not support the PolicyConstraints
extension. Since the PKIX certificate profile mandates that this
extension be marked critical when present, Certification Authority
implementations that are interested in maximal interoperability for
IKE SHOULD NOT generate certificates that contain this extension.
5.1.3.12. ExtendedKeyUsage
The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
certificates for use with IKE. Note that there were three IPsec-
related object identifiers in EKU that were assigned in 1999. The
semantics of these values were never clearly defined. The use of
these three EKU values in IKE/IPsec is obsolete and explicitly
deprecated by this specification. CAs SHOULD NOT issue certificates
for use in IKE with them. (For historical reference only, those
values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-
ipsecUser.)
The CA SHOULD NOT mark the EKU extension in certificates for use with
IKE and one or more other applications. Nevertheless, this document
defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a
certificate's use:
id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
where id-kp is defined in RFC 3280 [5]. If a certificate is intended
to be used with both IKE and other applications, and one of the other
applications requires use of an EKU value, then such certificates
MUST contain either the keyPurposeID id-kp-ipsecIKE or
anyExtendedKeyUsage [5], as well as the keyPurposeID values
associated with the other applications. Similarly, if a CA issues
multiple otherwise-similar certificates for multiple applications
including IKE, and it is intended that the IKE certificate NOT be
used with another application, the IKE certificate MAY contain an EKU
extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
use with the other application. Recall, however, that EKU extensions
in certificates meant for use in IKE are NOT RECOMMENDED.
Conforming IKE implementations are not required to support EKU. If a
critical EKU extension appears in a certificate and EKU is not
supported by the implementation, then RFC 3280 requires that the
certificate be rejected. Implementations that do support EKU MUST
support the following logic for certificate validation:
Korver Standards Track [Page 31]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
o If no EKU extension, continue.
o If EKU present AND contains either id-kp-ipsecIKE or
anyExtendedKeyUsage, continue.
o Otherwise, reject cert.
5.1.3.13. CRLDistributionPoints
Because this document deprecates the sending of CRLs in-band, the use
of CRLDistributionPoints (CDP) becomes very important if CRLs are
used for revocation checking (as opposed to, say, Online Certificate
Status Protocol - OCSP [16]). The IPsec peer either needs to have a
URL for a CRL written into its local configuration, or it needs to
learn it from CDP. Therefore, Certification Authority
implementations SHOULD issue certificates with a populated CDP.
Failure to validate the CRLDistributionPoints/
IssuingDistributionPoint pair can result in CRL substitution where an
entity knowingly substitutes a known good CRL from a different
distribution point for the CRL that is supposed to be used, which
would show the entity as revoked. IKE implementations MUST support
validating that the contents of CRLDistributionPoints match those of
the IssuingDistributionPoint to prevent CRL substitution when the
issuing CA is using them. At least one CA is known to default to
this type of CRL use. See Section 5.2.2.5 for more information.
CDPs SHOULD be "resolvable". Several non-compliant Certification
Authority implementations are well known for including unresolvable
CDPs like http://localhost/path_to_CRL and http:///path_to_CRL that
are equivalent to failing to include the CDP extension in the
certificate.
See the IETF IPR Web page for CRLDistributionPoints intellectual
property rights (IPR) information. Note that both the
CRLDistributionPoints and IssuingDistributionPoint extensions are
RECOMMENDED but not REQUIRED by the PKIX certificate profile, so
there is no requirement to license any IPR.
5.1.3.14. InhibitAnyPolicy
Many IKE implementations do not support the InhibitAnyPolicy
extension. Since the PKIX certificate profile mandates that this
extension be marked critical when present, Certification Authority
implementations that are interested in maximal interoperability for
IKE SHOULD NOT generate certificates that contain this extension.
Korver Standards Track [Page 32]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.1.3.15. FreshestCRL
IKE implementations MUST NOT assume that the FreshestCRL extension
will exist in peer certificates. Note that most IKE implementations
do not support delta CRLs.
5.1.3.16. AuthorityInfoAccess
The PKIX certificate profile defines the AuthorityInfoAccess
extension, which is used to indicate "how to access CA information
and services for the issuer of the certificate in which the extension
appears". Because this document deprecates the sending of CRLs in-
band, the use of AuthorityInfoAccess (AIA) becomes very important if
OCSP [16] is to be used for revocation checking (as opposed to CRLs).
The IPsec peer either needs to have a URI for the OCSP query written
into its local configuration, or it needs to learn it from AIA.
Therefore, implementations SHOULD support this extension, especially
if OCSP will be used.
5.1.3.17. SubjectInfoAccess
The PKIX certificate profile defines the SubjectInfoAccess
certificate extension, which is used to indicate "how to access
information and services for the subject of the certificate in which
the extension appears". This extension has no known use in the
context of IPsec. Conformant IKE implementations SHOULD ignore this
extension when present.
5.2. X.509 Certificate Revocation Lists
When validating certificates, IKE implementations MUST make use of
certificate revocation information, and SHOULD support such
revocation information in the form of CRLs, unless non-CRL revocation
information is known to be the only method for transmitting this
information. Deployments that intend to use CRLs for revocation
SHOULD populate the CRLDistributionPoints extension. Therefore,
Certification Authority implementations MUST support issuing
certificates with this field populated. IKE implementations MAY
provide a configuration option to disable use of certain types of
revocation information, but that option MUST be off by default. Such
an option is often valuable in lab testing environments.
Korver Standards Track [Page 33]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.2.1. Multiple Sources of Certificate Revocation Information
IKE implementations that support multiple sources of obtaining
certificate revocation information MUST act conservatively when the
information provided by these sources is inconsistent: when a
certificate is reported as revoked by one trusted source, the
certificate MUST be considered revoked.
5.2.2. X.509 Certificate Revocation List Extensions
5.2.2.1. AuthorityKeyIdentifier
Certification Authority implementations SHOULD NOT assume that IKE
implementations support the AuthorityKeyIdentifier extension, and
thus should not generate certificate hierarchies which are overly
complex to process in the absence of this extension, such as those
that require possibly verifying a signature against a large number of
similarly named CA certificates in order to find the CA certificate
which contains the key that was used to generate the signature.
5.2.2.2. IssuerAltName
Certification Authority implementations SHOULD NOT assume that IKE
implementations support the IssuerAltName extension, and especially
should not assume that information contained in this extension will
be displayed to end users.
5.2.2.3. CRLNumber
As stated in the PKIX certificate profile, all issuers MUST include
this extension in all CRLs.
5.2.2.4. DeltaCRLIndicator
5.2.2.4.1. If Delta CRLs Are Unsupported
IKE implementations that do not support delta CRLs MUST reject CRLs
that contain the DeltaCRLIndicator (which MUST be marked critical
according to the PKIX certificate profile) and MUST make use of a
base CRL if it is available. Such implementations MUST ensure that a
delta CRL does not "overwrite" a base CRL, for instance, in the
keying material database.
Korver Standards Track [Page 34]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
5.2.2.4.2. Delta CRL Recommendations
Since some IKE implementations that do not support delta CRLs may
behave incorrectly or insecurely when presented with delta CRLs,
administrators and deployers should consider whether issuing delta
CRLs increases security before issuing such CRLs. And, if all the
elements in the VPN and PKI systems do not adequately support Delta
CRLs, then their use should be questioned.
The editors are aware of several implementations that behave in an
incorrect or insecure manner when presented with delta CRLs. See
Appendix A for a description of the issue. Therefore, this
specification RECOMMENDS NOT issuing delta CRLs at this time. On the
other hand, failure to issue delta CRLs may expose a larger window of
vulnerability if a full CRL is not issued as often as delta CRLs
would be. See the Security Considerations section of the PKIX [5]
certificate profile for additional discussion. Implementers as well
as administrators are encouraged to consider these issues.
5.2.2.5. IssuingDistributionPoint
A CA that is using CRLDistributionPoints may do so to provide many
"small" CRLs, each only valid for a particular set of certificates
issued by that CA. To associate a CRL with a certificate, the CA
places the CRLDistributionPoints extension in the certificate, and
places the IssuingDistributionPoint in the CRL. The
distributionPointName field in the CRLDistributionPoints extension
MUST be identical to the distributionPoint field in the
IssuingDistributionPoint extension. At least one CA is known to
default to this type of CRL use. See Section 5.1.3.13 for more
information.
5.2.2.6. FreshestCRL
Given the recommendations against Certification Authority
implementations generating delta CRLs, this specification RECOMMENDS
that implementations do not populate CRLs with the FreshestCRL
extension, which is used to obtain delta CRLs.
5.3. Strength of Signature Hashing Algorithms
At the time that this document is being written, popular
certification authorities and CA software issue certificates using
the RSA-with-SHA1 and RSA-with-MD5 signature algorithms.
Implementations MUST be able to validate certificates with either of
those algorithms.
Korver Standards Track [Page 35]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
As described in [17], both the MD5 and SHA-1 hash algorithms are
weaker than originally expected with respect to hash collisions.
Certificates that use these hash algorithms as part of their
signature algorithms could conceivably be subject to an attack where
a CA issues a certificate with a particular identity, and the
recipient of that certificate can create a different valid
certificate with a different identity. So far, such an attack is
only theoretical, even with the weaknesses found in the hash
algorithms.
Because of the recent attacks, there has been a heightened interest
in having widespread deployment of additional signature algorithms.
The algorithm that has been mentioned most often is RSA-with-SHA256,
two types of which are described in detail in [18]. It is widely
expected that this signature algorithm will be much more resilient to
collision-based attacks than the current RSA-with-SHA1 and RSA-with-
MD5, although no proof of that has been shown. There is active
discussion in the cryptographic community of better hash functions
that could be used in signature algorithms.
In order to interoperate, all implementations need to be able to
validate signatures for all algorithms that the implementations will
encounter. Therefore, implementations SHOULD be able to use
signatures that use the sha256WithRSAEncryption signature algorithm
(PKCS#1 version 1.5) as soon as possible. At the time that this
document is being written, there is at least one CA that supports
generating certificates with sha256WithRSAEncryption signature
algorithm, and it is expected that there will be significant
deployment of this algorithm by the end of 2007.
6. Configuration Data Exchange Conventions
Below, we present a common format for exchanging configuration data.
Implementations MUST support these formats, MUST support receiving
arbitrary whitespace at the beginning and end of any line, MUST
support receiving arbitrary line lengths although they SHOULD
generate lines less than 76 characters, and MUST support receiving
the following three line-termination disciplines: LF (US-ASCII 10),
CR (US-ASCII 13), and CRLF.
6.1. Certificates
Certificates MUST be Base64 [19] encoded and appear between the
following delimiters:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Korver Standards Track [Page 36]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
6.2. CRLs and ARLs
CRLs and ARLs MUST be Base64 encoded and appear between the following
delimiters:
-----BEGIN CRL-----
-----END CRL-----
6.3. Public Keys
IKE implementations MUST support two forms of public keys:
certificates and so-called "raw" keys. Certificates should be
transferred in the same form as Section 6.1. A raw key is only the
SubjectPublicKeyInfo portion of the certificate, and MUST be Base64
encoded and appear between the following delimiters:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
6.4. PKCS#10 Certificate Signing Requests
A PKCS#10 [9] Certificate Signing Request MUST be Base64 encoded and
appear between the following delimiters:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
7. Security Considerations
7.1. Certificate Request Payload
The Contents of CERTREQ are not encrypted in IKE. In some
environments, this may leak private information. Administrators in
some environments may wish to use the empty Certification Authority
option to prevent such information from leaking, at the cost of
performance.
7.2. IKEv1 Main Mode
Certificates may be included in any message, and therefore
implementations may wish to respond with CERTs in a message that
offers privacy protection in Main Mode messages 5 and 6.
Implementations may not wish to respond with CERTs in the second
message, thereby violating the identity protection feature of Main
Mode in IKEv1.
Korver Standards Track [Page 37]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
7.3. Disabling Certificate Checks
It is important to note that anywhere this document suggests
implementers provide users with the configuration option to simplify,
modify, or disable a feature or verification step, there may be
security consequences for doing so. Deployment experience has shown
that such flexibility may be required in some environments, but
making use of such flexibility can be inappropriate in others. Such
configuration options MUST default to "enabled" and it is appropriate
to provide warnings to users when disabling such features.
8. Acknowledgements
The authors would like to acknowledge the expired document "A PKIX
Profile for IKE" (July 2000) for providing valuable materials for
this document.
The authors would like to especially thank Eric Rescorla, one of its
original authors, in addition to Greg Carter, Steve Hanna, Russ
Housley, Charlie Kaufman, Tero Kivinen, Pekka Savola, Paul Hoffman,
and Gregory Lebovitz for their valuable comments, some of which have
been incorporated verbatim into this document. Paul Knight performed
the arduous task of converting the text to XML format.
9. References
9.1. Normative References
[1] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[2] Maughan, D., Schneider, M., and M. Schertler, "Internet
Security Association and Key Management Protocol (ISAKMP)", RFC
2408, November 1998.
[3] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
4306, December 2005.
[4] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[5] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", RFC 3280, April 2002.
[6] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.
Korver Standards Track [Page 38]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
[7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[8] Postel, J., "Internet Protocol", STD 5, RFC 791, September
1981.
[9] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request
Syntax Specification Version 1.7", RFC 2986, November 2000.
9.2. Informative References
[10] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.
[11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033, March
2005.
[12] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)", RFC
3490, March 2003.
[13] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004.
[14] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[15] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR):
The Internet Address Assignment and Aggregation Plan", BCP 122,
RFC 4632, August 2006.
[16] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams,
"X.509 Internet Public Key Infrastructure Online Certificate
Status Protocol - OCSP", RFC 2560, June 1999.
[17] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes
in Internet Protocols", RFC 4270, November 2005.
[18] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms
and Identifiers for RSA Cryptography for use in the Internet
X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile", RFC 4055, June 2005.
[19] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
RFC 4648, October 2006.
Korver Standards Track [Page 39]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Appendix A. The Possible Dangers of Delta CRLs
The problem is that the CRL processing algorithm is sometimes written
incorrectly with the assumption that all CRLs are base CRLs and it is
assumed that CRLs will pass content validity tests. Specifically,
such implementations fail to check the certificate against all
possible CRLs: if the first CRL that is obtained from the keying
material database fails to decode, no further revocation checks are
performed for the relevant certificate. This problem is compounded
by the fact that implementations that do not understand delta CRLs
may fail to decode such CRLs due to the critical DeltaCRLIndicator
extension. The algorithm that is implemented in this case is
approximately:
o fetch newest CRL
o check validity of CRL signature
o if CRL signature is valid, then
o if CRL does not contain unrecognized critical extensions and
certificate is on CRL, then set certificate status to revoked
The authors note that a number of PKI toolkits do not even provide a
method for obtaining anything but the newest CRL, which in the
presence of delta CRLs may in fact be a delta CRL, not a base CRL.
Note that the above algorithm is dangerous in many ways. See the
PKIX [5] certificate profile for the correct algorithm.
Appendix B. More on Empty CERTREQs
Sending empty certificate requests is commonly used in
implementations, and in the IPsec interop meetings, vendors have
generally agreed that it means that send all/any end-entity
certificates you have (if multiple end-entity certificates are sent,
they must have same public key, as otherwise, the other end does not
know which key was used). For 99% of cases, the client has exactly
one certificate and public key, so it really doesn't matter, but the
server might have multiple; thus, it simply needs to say to the
client, use any certificate you have. If we are talking about
corporate VPNs, etc., even if the client has multiple certificates or
keys, all of them would be usable when authenticating to the server,
so the client can simply pick one.
If there is some real difference on which certificate to use (like
ones giving different permissions), then the client must be
configured anyway, or it might even ask the user which one to use
Korver Standards Track [Page 40]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
(the user is the only one who knows whether he needs admin
privileges, thus needs to use admin cert, or if the normal email
privileges are ok, thus uses email only cert).
In 99% of the cases, the client has exactly one certificate, so it
will send it. In 90% of the rest of the cases, any of the
certificates is ok, as they are simply different certificates from
the same CA, or from different CAs for the same corporate VPN, thus
any of them is ok.
Sending empty certificate requests has been agreed there to mean
"give me your cert, any cert".
Justification:
o Responder first does all it can to send a CERTREQ with a CA, check
for IP match in SPD, have a default set of CAs to use in ambiguous
cases, etc.
o Sending empty CERTREQs is fairly common in implementations today,
and is generally accepted to mean "send me a certificate, any
certificate that works for you".
o Saves responder sending potentially hundreds of certs, the
fragmentation problems that follow, etc.
o In +90% of use cases, Initiators have exactly one certificate.
o In +90% of the remaining use cases, the multiple certificates it
has are issued by the same CA.
o In the remaining use case(s) -- if not all the others above -- the
Initiator will be configured explicitly with which certificate to
send, so responding to an empty CERTREQ is easy.
The following example shows why initiators need to have sufficient
policy definition to know which certificate to use for a given
connection it initiates.
EXAMPLE: Your client (initiator) is configured with VPN policies for
gateways A and B (representing perhaps corporate partners).
Korver Standards Track [Page 41]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
The policies for the two gateways look something like:
Acme Company policy (gateway A)
Engineering can access 10.1.1.0
Trusted CA: CA-A, Trusted Users: OU=Engineering
Partners can access 20.1.1.0
Trusted CA: CA-B, Trusted Users: OU=AcmePartners
Bizco Company policy (gateway B)
Sales can access 30.1.1.0
Trusted CA: CA-C, Trusted Users: OU=Sales
Partners can access 40.1.1.0
Trusted CA: CA-B, Trusted Users: OU=BizcoPartners
You are an employee of Acme and you are issued the following
certificates:
o From CA-A: CN=JoeUser,OU=Engineering
o From CA-B: CN=JoePartner,OU=BizcoPartners
The client MUST be configured locally to know which CA to use when
connecting to either gateway. If your client is not configured to
know the local credential to use for the remote gateway, this
scenario will not work either. If you attempt to connect to Bizco,
everything will work... as you are presented with responding with a
certificate signed by CA-B or CA-C... as you only have a certificate
from CA-B you are OK. If you attempt to connect to Acme, you have an
issue because you are presented with an ambiguous policy selection.
As the initiator, you will be presented with certificate requests
from both CA-A and CA-B. You have certificates issued by both CAs,
but only one of the certificates will be usable. How does the client
know which certificate it should present? It must have sufficiently
clear local policy specifying which one credential to present for the
connection it initiates.
Author's Address
Brian Korver
Network Resonance, Inc.
2483 E. Bayshore Rd.
Palo Alto, CA 94303
US
Phone: +1 650 812 7705
EMail: briank@networkresonance.com
Korver Standards Track [Page 42]
RFC 4945 PKI Profile for IKE/ISAKMP/PKIX August 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Korver Standards Track [Page 43]